Best Practices for Preventing Phishing Attacks in Healthcare

Phishing is the most common way that hackers gain access to healthcare networks to steal sensitive data and install malware and ransomware. Here we list the most important best practices for preventing phishing attacks on healthcare organizations and how to limit the damage that is caused when phishing attacks are successful.

Phishing Defenses are Necessary for HIPAA Compliance

While the HIPAA text does not specifically call for the adoption of best practices for preventing phishing attacks, the HIPAA Security Rule (164.306) does require HIPAA-regulated entities to implement technical, physical, and administrative safeguards to ensure the confidentiality, integrity, and availability of electronic protected health information (ePHI). Since phishing is one of the main ways that threat actors gain access to email accounts and healthcare networks, phishing defenses are an important part of HIPAA Security Rule compliance.

Phishing involves tricking individuals into taking actions that give threat actors access to networks for follow-on attacks or that disclose sensitive information. Defending against phishing, therefore, needs to include technical measures for blocking attacks as well as workforce training to improve awareness of the threat and reduce susceptibility to it. The HHS’ Office for Civil Rights has emphasized in its cybersecurity newsletters the importance of adopting best practices for preventing phishing attacks, and of implementing technical safeguards and end user training for HIPAA compliance.

Recommended Best Practices for Preventing Phishing Attacks

The recommended best practices for preventing phishing attacks involve a combination of technical and administrative measures. Healthcare organizations should conduct a risk analysis covering all data, personnel, devices, systems, and facilities and develop a risk management strategy to reduce risks to a low and acceptable level. That strategy should include technical defenses to block phishing attacks at source so that employees do not encounter threats, measures to limit the damage an attack can cause, and real-time monitoring to detect attacks quickly.

Technical Defenses Against Phishing Attacks

There are many protective measures that healthcare organizations can implement to block phishing attacks, but none of these best practices for preventing phishing attacks will be effective in isolation. The key to defending against phishing attacks is to adopt a defense-in-depth strategy that includes multiple layers of protection. Employee training and an email security solution are important, but other measures also need to be implemented.

Email Security Solutions

An email security solution is arguably the most important technical defense against phishing, as most – but by no means all – phishing threats are delivered via email. Email security solutions inspect inbound messages and perform a range of checks to determine whether emails are malicious, suspicious, or benign, and then deliver, block, or quarantine the messages accordingly. Email security solutions need to have a high catch rate but also a low false positive rate. If genuine emails are sent to a spam folder along with phishing emails, employees will have to search the spam folder for genuine messages, and there is a greater chance that phishing emails will be opened. Email security solutions should have anti-malware capabilities, including signature-based detection for identifying known malware threats and behavioral detection such as sandboxing for identifying zero-day threats.
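The triage described above, as an added illustration that is not code from any product the article mentions: a few constructed messages are parsed, several independent checks (sender authentication results, display-name impersonation, Reply-To mismatch, lure wording, attachment hash and extension) each add to a score, and the score maps to deliver, quarantine, or block. The protected domain, the thresholds, the lure words, and the "known bad" hash are all assumptions made for the example.

```python
import hashlib
from email import message_from_string
from email.message import EmailMessage
from email.utils import parseaddr

OUR_DOMAIN = "clinic.example"                               # assumed protected domain
HIGH_RISK_EXT = (".exe", ".js", ".vbs", ".scr", ".iso")    # assumed policy list
LURE_WORDS = ("password", "verify your account", "urgent", "suspended")
# Constructed "signature": the hash of a made-up byte string stands in for a real entry.
KNOWN_BAD_SHA256 = {hashlib.sha256(b"MZ-constructed-dropper").hexdigest()}


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def check_message(raw):
    """Run independent checks over one RFC 5322 message; return (verdict, reasons)."""
    msg = message_from_string(raw)
    score, reasons = 0, []

    # 1. Sender authentication as recorded by the receiving MTA (SPF/DKIM/DMARC).
    auth = (msg.get("Authentication-Results") or "").lower()
    if "dmarc=fail" in auth:
        score += 3; reasons.append("DMARC fail")
    elif "spf=fail" in auth or "dkim=fail" in auth:
        score += 2; reasons.append("SPF/DKIM fail")

    # 2. Display name borrows our domain while the real address is external.
    name, addr = parseaddr(msg.get("From", ""))
    if OUR_DOMAIN in name.lower() and domain_of(addr) != OUR_DOMAIN:
        score += 2; reasons.append("display-name impersonation")

    # 3. Reply-To steering replies to a different domain than the sender's.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and domain_of(reply) != domain_of(addr):
        score += 1; reasons.append("Reply-To mismatch")

    # 4. Credential-lure wording in the subject or the text body.
    text = msg.get("Subject", "").lower() + " "
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            text += part.get_payload(decode=True).decode("utf-8", "replace").lower()
    hits = [w for w in LURE_WORDS if w in text]
    if len(hits) >= 2:
        score += 2; reasons.append("lure wording: " + ", ".join(hits))

    # 5. Attachments: a known-bad hash blocks outright; a risky extension adds weight.
    for part in msg.walk():
        fname = part.get_filename()
        if not fname:
            continue
        digest = hashlib.sha256(part.get_payload(decode=True)).hexdigest()
        if digest in KNOWN_BAD_SHA256:
            return "block", reasons + ["known malware hash"]
        if fname.lower().endswith(HIGH_RISK_EXT):
            score += 2; reasons.append("high-risk attachment " + fname)

    verdict = "block" if score >= 5 else "quarantine" if score >= 2 else "deliver"
    return verdict, reasons


def build_sample(from_hdr, subject, body, auth, reply_to=None, attachment=None):
    """Construct a sample message (not real mail) so the example runs offline."""
    m = EmailMessage()
    m["From"] = from_hdr
    m["To"] = "nurse@" + OUR_DOMAIN
    m["Subject"] = subject
    m["Authentication-Results"] = auth
    if reply_to:
        m["Reply-To"] = reply_to
    m.set_content(body)
    if attachment:
        fname, data = attachment
        m.add_attachment(data, maintype="application", subtype="octet-stream", filename=fname)
    return m.as_string()


PASS = "mx.clinic.example; spf=pass; dkim=pass; dmarc=pass"
SAMPLES = {  # all constructed
    "legit": build_sample("Dr Lee <lee@" + OUR_DOMAIN + ">", "Clinic rota",
                          "Rota for next week is below.", PASS),
    # Attacker's own domain authenticates fine; only the display name is borrowed.
    "lookalike": build_sample('"Dr Lee clinic.example" <lee@clinic-example.invalid>',
                              "Clinic rota", "Please review the attached rota.", PASS),
    "phish": build_sample('"IT Helpdesk clinic.example" <helpdesk@mail-secure.invalid>',
                          "URGENT: password expires today",
                          "Verify your account now or it will be suspended.",
                          "mx.clinic.example; spf=fail; dkim=none; dmarc=fail",
                          reply_to="reset@other-host.invalid"),
    "dropper": build_sample("Vendor <billing@vendor.invalid>", "Invoice", "See attached.",
                            PASS, attachment=("invoice.exe", b"MZ-constructed-dropper")),
}


def triage_all():
    """Verdict per sample, e.g. {'legit': 'deliver', 'lookalike': 'quarantine', ...}."""
    return {name: check_message(raw)[0] for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, check_message(raw))
```

The lookalike sample is the instructive one: SPF, DKIM, and DMARC all pass because the attacker controls the sending domain, so authentication alone would deliver it; it is the display-name check that sends it to quarantine for a human to look at, which is why the article stresses combining several checks rather than relying on one.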

Web Filtering

One of the most often neglected best practices for preventing phishing attacks is implementing a web filtering solution. Threat actors are constantly developing new methods to bypass email security solutions and mask their malicious links, such as hiding malicious URLs in password-protected attachments or hosting malware on legitimate cloud services such as Google Drive and Dropbox, which are difficult for email security solutions to block. Web filters improve protection against phishing by blocking attempts to visit these malicious URLs at the time a user clicks a link.

Web filters will block redirects to malicious websites through general web browsing and can be used to carefully control the web content that can be accessed. Web filters also provide visibility into all web traffic for investigations and can block command-and-control callbacks from malware.

Access Controls and Multi-factor Authentication

The HIPAA Security Rule requires access controls to be implemented to limit access to ePHI to authorized individuals. Accounts are usually secured using passwords, and phishing often aims to steal those passwords. Single-factor authentication gives attackers an opportunity for access: if a password is obtained in a phishing attack, it can be used to remotely access an account. Two-factor or multi-factor authentication should be implemented to strengthen authentication, so that in addition to a password another factor is required before access is granted. Healthcare organizations should also consider passwordless authentication.

Use a Password Manager

One of the most underused best practices for preventing phishing attacks is to use a password manager. Password managers are used to create complex passwords and store them securely in an encrypted password vault. These solutions provide a degree of protection against phishing through the auto-fill feature. When a user lands on a website that requires them to log in, the user’s username and password will be automatically filled into the login box if a password associated with the site is in the user’s password vault. If the user lands on a spoofed website, the password manager will not recognize the site and will not auto-fill the password, indicating to the user that they are not on the correct webpage. Password managers, therefore, protect against the spoofed websites used for credential phishing.
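The matching behavior that makes auto-fill a phishing defense, as an added example that is not the code of any real password manager: credentials are stored against the host they were saved for, and auto-fill compares the page's origin to that host rather than its appearance, so a typosquat, a domain with the real name buried in a subdomain, a Unicode look-alike, or a plain-HTTP copy of the page all get nothing filled in. The vault class, the sample URLs, and the rule that a subdomain of the saved host may match are assumptions for this example.

```python
from urllib.parse import urlsplit


def canonical_host(url):
    """Lower-case, IDNA-encoded host so Unicode look-alikes cannot equal ASCII names."""
    host = urlsplit(url).hostname or ""
    return host.encode("idna").decode("ascii").lower()


class Vault:
    """Stand-in for an encrypted vault: credentials keyed by the exact host they were
    saved for (assumption; real managers add a public-suffix list and more)."""

    def __init__(self):
        self._entries = {}

    def save(self, url, username, password):
        self._entries[canonical_host(url)] = (username, password)

    def autofill(self, url):
        """Return (username, password) only when the page origin matches a saved entry."""
        if urlsplit(url).scheme != "https":
            return None                      # never fill into a page without TLS
        host = canonical_host(url)
        for saved_host, creds in self._entries.items():
            # Exact host, or a subdomain of the saved host. The endswith check keeps
            # "clinic.example.evil.invalid" from matching "clinic.example" because the
            # saved name must be the suffix, preceded by a dot.
            if host == saved_host or host.endswith("." + saved_host):
                return creds
        return None


def demo():
    """Which constructed URLs receive an auto-fill for a credential saved at the clinic portal."""
    vault = Vault()
    vault.save("https://clinic.example/login", "nurse01", "correct horse battery staple")
    candidates = [
        "https://clinic.example/login",                       # the real site
        "https://portal.clinic.example/sso",                  # subdomain of the saved host
        "http://clinic.example/login",                        # downgraded to plain HTTP
        "https://clinic-example.invalid/login",               # typosquat
        "https://clinic.example.evil.invalid/login",          # real name as a subdomain
        "https://cl\u0456nic.example/login",                  # Cyrillic i look-alike
    ]
    return {url: vault.autofill(url) is not None for url in candidates}


if __name__ == "__main__":
    for url, filled in demo().items():
        print("fill" if filled else "no fill", url)
```

The point for a user is the absence of the fill: if the manager stays silent on a login page where it normally fills, that is the cue to stop and check the address bar. The subdomain rule in the example is deliberately simple and would be wrong for shared-hosting apexes; a real manager decides that with the public suffix list.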

Install Antivirus Software

Many phishing attacks are conducted to distribute malware. Emotet, widely regarded as the most dangerous malware variant, is mostly distributed in phishing emails. Email security solutions with anti-malware capabilities should be used, but it is also important to install antivirus software on all endpoints, and ideally advanced solutions that have both signature-based and behavior-based detection capabilities.

Patch Promptly

Best practices for preventing phishing attacks include standard cybersecurity best practices such as patching promptly and updating all software to the latest version, especially web browsers. Users are often redirected to malicious websites that probe for unpatched vulnerabilities and include malicious code that can exploit vulnerabilities to download malware. Prompt patching will ensure the window for exploiting known vulnerabilities is limited.

Security Awareness Training

In addition to technical defenses against phishing, the HIPAA Security Rule requires security awareness training to be provided to the workforce. Employees need to be taught cybersecurity best practices to eliminate risky behaviors and discover how to spot a phishing email. HIPAA-regulated entities should not assume that employees know about cybersecurity risks. They need to be educated and that education needs to be regularly reinforced. A once-a-year training session alone is not going to be sufficient.

The main aims of security awareness training are to develop a security culture, promote good cyber hygiene, and create a human firewall to complement technical defenses against phishing and other cyberattacks. A strong anti-phishing program is required to raise awareness of the threat from phishing and help employees develop the skills they need to recognize and avoid threats. Security awareness training should be provided through a structured training program, which should deliver engaging content. Training sessions should be augmented with exercises, videos, infographics, security newsletters, quizzes, and other fresh content to keep users engaged.

Phishing simulation exercises should be conducted to test whether training is translating into improvements in security awareness. Phishing simulations can help to identify users who have not taken their training on board, but can also identify weaknesses in the training program. If many employees fall for a specific type of phishing email, it is clear that there is a gap in training that needs to be addressed. Phishing simulation exercises are concerned with proactively assessing susceptibility to phishing and addressing weaknesses before they can be exploited.

Incident Response and Remediation

Even the most comprehensive phishing defenses can be bypassed, and employees will make mistakes. It is therefore essential to develop an incident response plan and mitigation strategy to ensure that in the event of a successful attack, prompt action can be taken to minimize the damage that is caused.

Healthcare organizations should develop and test their incident response plan. Everyone involved in the breach response must know the actions they need to take to ensure the fastest possible response. A threat reporting mechanism should be implemented to allow employees to report threats to their security team quickly. A one-click threat reporting add-on for an email client can alert the security team to a phishing email that has bypassed the secure email gateway, allowing rules to be updated to protect against future threats.

Real-time monitoring is also required to identify attacks that have succeeded. This can be provided by intrusion detection and prevention systems (IDPS) that continuously monitor the network for anomalous behavior, and by outbound scanning of emails to identify compromised mailboxes.
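The outbound-scanning idea from the paragraph above, as an added example that is not code from any product the article mentions: a compromised mailbox is typically used to send the same lure to many external contacts in a short burst, so two simple rules are run over constructed outbound-mail log lines, one for the number of distinct external recipients inside a sliding ten-minute window and one for an identical subject going to many recipients. The log line format, the protected domain, the thresholds, and the sample data are all assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

OUR_DOMAIN = "clinic.example"                      # assumed protected domain
# Assumed line format of an outbound-mail log (constructed for this example).
LINE_RE = re.compile(r'^(\S+) sender=(\S+) rcpt=(\S+) subject="([^"]*)"$')
WINDOW = timedelta(minutes=10)
BURST_THRESHOLD = 20      # distinct external recipients within WINDOW (assumed)
SUBJECT_THRESHOLD = 10    # distinct recipients of one identical subject (assumed)


def parse(lines):
    """Parse log lines into (timestamp, sender, recipient, subject), oldest first."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue          # skip malformed lines rather than abort the whole run
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, m.group(2).lower(), m.group(3).lower(), m.group(4)))
    return sorted(events)


def is_external(addr):
    return not addr.endswith("@" + OUR_DOMAIN)


def detect(lines):
    """Return {sender: [reasons]} for mailboxes whose outbound pattern looks compromised."""
    alerts = defaultdict(list)
    recent = defaultdict(deque)        # sender -> (ts, rcpt) inside the sliding window
    by_subject = defaultdict(set)      # (sender, subject) -> distinct recipients
    fired = set()                      # (sender, rule) pairs already alerted on
    for ts, sender, rcpt, subject in parse(lines):
        if not is_external(rcpt):
            continue                   # internal mail is out of scope for these rules
        q = recent[sender]
        q.append((ts, rcpt))
        while q and ts - q[0][0] > WINDOW:
            q.popleft()
        distinct = {r for _, r in q}
        if len(distinct) >= BURST_THRESHOLD and (sender, "burst") not in fired:
            fired.add((sender, "burst"))
            alerts[sender].append(f"{len(distinct)} distinct external recipients within 10 min")
        by_subject[(sender, subject)].add(rcpt)
        if len(by_subject[(sender, subject)]) >= SUBJECT_THRESHOLD and (sender, "subject") not in fired:
            fired.add((sender, "subject"))
            alerts[sender].append(f'identical subject "{subject}" to {SUBJECT_THRESHOLD}+ recipients')
    return dict(alerts)


def constructed_log():
    """Sample outbound-mail lines (constructed, not from any real system)."""
    lines = [
        '2024-05-06T09:15:02Z sender=dr.lee@clinic.example rcpt=referrals@hospital.invalid subject="Referral 4471"',
        '2024-05-06T09:40:10Z sender=dr.lee@clinic.example rcpt=admin@clinic.example subject="Rota"',
        'this line is deliberately malformed and must be skipped',
    ]
    # One mailbox sending the same lure to 30 external contacts at 03:00, eight seconds apart.
    start = datetime(2024, 5, 6, 3, 0, 0)
    for i in range(30):
        ts = (start + timedelta(seconds=8 * i)).strftime("%Y-%m-%dT%H:%M:%SZ")
        lines.append(f'{ts} sender=a.jones@clinic.example rcpt=contact{i}@partner{i % 7}.invalid '
                     f'subject="Shared document"')
    return lines


if __name__ == "__main__":
    for sender, reasons in detect(constructed_log()).items():
        print(sender)
        for r in reasons:
            print("  -", r)
```

In practice the thresholds would be set per organization from a baseline of normal outbound volume, and an alert would trigger the incident response steps the article describes: disable the mailbox, reset the credential and sessions, and review what was sent.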


There are many best practices for preventing phishing attacks, which, along with other recognized security practices, will improve resilience to phishing and other types of cyberattacks. When combined, these anti-phishing best practices will allow healthcare organizations to improve their security posture, prevent costly data breaches, and avoid compliance penalties.